- From: Markus Sabadello <markus@danubetech.com>
- Date: Thu, 19 Jan 2023 22:24:06 +0100
- To: public-vc-wg@w3.org
- Message-ID: <b6b5af07-65fb-f105-bae0-a85b62eb2e70@danubetech.com>

It's really confusing that vc-jws <https://transmute-industries.github.io/vc-jws/> and vc-jws-2020 <https://w3c.github.io/vc-jws-2020/> sound so similar, but are very different things, so +1 to a naming discussion.

What I like about the quite recent vc-jws proposal is that it cleanly separates the data model layer from the security layer, unlike the commonly used vc-jwt which mixes the layers.

The downside of vc-jws as opposed to vc-jws-2020 is of course that it only signs the JSON-LD document, not the RDF dataset behind it. If a JSON-LD @context changes, then a vc-jws signature would still be valid, even though the underlying data has changed, whereas a vc-jws-2020 signature would not be valid anymore.

This difference probably has some special significance in relation to the "default @vocab" proposal. E.g. imagine a situation where some term is initially undefined in a @context, and then later it gets defined. In this situation, a vc-jws signature would remain valid, whereas a vc-jws-2020 signature wouldn't.

Markus

On 1/18/23 14:55, Orie Steele wrote:
> First, there is a proposal to change the name of the spec:
>
> https://github.com/w3c/vc-jws-2020/issues/31
> https://github.com/w3c/vc-jws-2020/pull/32
>
> Separate from this, we now have a way to secure
> "application/credential+ld+json", without using URDNA 2015.
>
> https://transmute-industries.github.io/vc-jws/
> https://github.com/transmute-industries/vc-jws/blob/main/test-vectors/generate.js#L22
>
> This raises questions for me on the value of retaining this "data
> integrity suite".
>
> Perhaps it would be more valuable to just define how to secure the
> media type for the core data model with JWS.
>
> The working group has very limited bandwidth for technical contribution.
>
> Since its inception, this work item has received very low contribution.
>
> If I had to choose between having JsonWebSignature2020 or having a W3C
> spec that uses JWS to secure the core data model (without URDNA2015),
> I would happily take the latter... and if enough others made the same
> choice, I see no value in the former.
>
> Wondering if we might drop URDNA2015 from JsonWebSignature2020, and
> refactor the spec to align with the vc-jws proposal above.
>
> Regards,
>
> OS
>
>
> --
> *ORIE STEELE*
> Chief Technical Officer
> www.transmute.industries
>
> <https://www.transmute.industries>
Received on Thursday, 19 January 2023 21:24:22 UTC
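
The difference described in the message above, as an added example that is not part of the original thread or of either specification: one JWS is computed over the document bytes, the other over a digest of the statements obtained by mapping terms through the @context. Assumptions: `dataset_digest` is a toy stand-in for real JSON-LD expansion and URDNA2015 canonicalization, HS256 with a constructed key stands in for the issuer's key, and all names, URLs and values are constructed.

```python
import base64, hashlib, hmac, json

KEY = b"constructed-demo-key"  # constructed secret; HS256 stands in for the issuer key

def b64u(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64u_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def jws_sign(payload):
    """Compact JWS (HS256) over exactly the bytes given."""
    signing_input = b64u(b'{"alg":"HS256"}') + "." + b64u(payload)
    sig = hmac.new(KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64u(sig)

def jws_payload(token):
    """Return the payload bytes if the signature verifies, else None."""
    header, payload, sig = token.split(".")
    good = hmac.new(KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return b64u_decode(payload) if hmac.compare_digest(good, b64u_decode(sig)) else None

def dataset_digest(doc, context):
    """Toy stand-in for canonicalizing the RDF dataset: each term is mapped to
    its IRI through the context; terms the context does not define are dropped."""
    stmts = sorted(f"<{context[t]}> {json.dumps(v)} ."
                   for t, v in doc.items() if t in context)
    return hashlib.sha256("\n".join(stmts).encode()).digest()

def verify_document(doc_bytes, token):
    # Document-level check: the @context content is not an input at all.
    return jws_payload(token) == doc_bytes

def verify_dataset(doc, context_now, token):
    # Dataset-level check: the digest is recomputed with the context as it is now.
    return jws_payload(token) == dataset_digest(doc, context_now)

# Constructed sample: "role" is undefined in the context at signing time (V1)
# and gets defined later (V2), while the document bytes never change.
CONTEXT_V1 = {"name": "https://schema.org/name"}
CONTEXT_V2 = dict(CONTEXT_V1, role="https://vocab.example/role")
DOC = {"@context": "https://ctx.example/v1", "name": "Alice", "role": "admin"}
DOC_BYTES = json.dumps(DOC, sort_keys=True).encode()

doc_token = jws_sign(DOC_BYTES)                       # signs the JSON-LD document
ds_token = jws_sign(dataset_digest(DOC, CONTEXT_V1))  # signs the derived statements

if __name__ == "__main__":
    print("document signature, any context:", verify_document(DOC_BYTES, doc_token))
    print("dataset signature, context v1:  ", verify_dataset(DOC, CONTEXT_V1, ds_token))
    print("dataset signature, context v2:  ", verify_dataset(DOC, CONTEXT_V2, ds_token))
```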